Systems evolve over time

Mary Ursula Herrmann

Mary Ursula Herrmann is a Network Security Analyst living in Juneau, AK. She has worked in Information Security for over 15 years, and obtained her CISSP in 2005.

In the past, I've written about the cyclical nature of a security system of policies and procedures. Specifically, I wrote that security strategy is more like a spiral than like a wheel, because even though you come back to the starting point - your policy - over and over again, that starting point is not, or should not be, the same each time. Your security policy should and must change over time in order for you to maintain a healthy security posture, because the threats your enterprise faces also change over time.

A lot of people take no issue with the need for policies and procedures to change over time in the face of changing threats, but somehow, they expect their IT requirements not to change. To give a very simple example, I once designed a security strategy for a firm that had only recently connected to the Internet. When they were originally designing their internal network, they weren't on the Internet, so they just used whatever IP addresses they wanted. When they later connected, they discovered that someone else owned the address space they'd been using for years by that point. I had to convince them that it really was necessary to change their address structure; fortunately, they also wanted to segment their network a little more, so they needed to renumber the network anyway. Had they not seen the need for segmentation, they might still be using someone else's network address space internally today.

Most business owners take for granted the idea of being connected to the Internet, and using “inside” address space even if they don't know the meaning of the term or how it works. But 15 years ago, the Internet was relatively new technology, in terms of business. There is always new technology to consider, and that's why people joke about their computers being obsolete as soon as they're purchased. But year after year, requirements don't change, because it's more expensive to design something new than to keep using the same basic engine and only upgrade the components...until you find, like a really old car, that there are no longer parts to fit that model, and you must design something new.

If your security policy is evolving, your IT systems need to evolve too - not just installing the latest patches, but constantly re-evaluating the system design. You can bet that your adversaries are doing that, and that's why the landscape of threats is always changing. Doing things the same old way will never suffice for long.
